Harnessing the Power of Hyper-V Network Virtual Switches

For any virtualization administrator who has ever found the capabilities of Hyper-V's network virtual switch a bit confusing, we have the perfect server tutorial for you.

Many virtualization administrators are confused by the capabilities of the Hyper-V network virtual switch. A network virtual switch in Hyper-V operates at Layer 2 and maintains a MAC table that contains the MAC addresses of all the virtual machines connected to it.

A Virtual Switch created on Hyper-V can have unlimited Virtual Machines connected to it, and the virtual switch operates in one of two modes: Trunk Mode or Access Mode. There are three types of virtual switches that can be created in Hyper-V: External, Private and Internal Virtual Network Switch.

An External Virtual Network Switch allows communication among virtual machines running on the same Hyper-V Server, the Hyper-V Parent Partition, and virtual machines running on a remote Hyper-V Server. It requires a physical network adapter on the Hyper-V Host that is not mapped to any other External Virtual Network Switch. As a result, you can create External virtual switches as long as you have physical network adapters that are not mapped to any other external virtual switches.

Internal Virtual Network Switch can be used to allow communication between virtual machines connected to the same switch and also allow communication to the Hyper-V Parent Partition. You can create any number of internal virtual switches.

Private Virtual Network Switch allows communication between virtual machines connected to the same virtual switch. Virtual Machines connected to this type of virtual switch cannot communicate with Hyper-V Parent Partition. You can create any number of Private virtual switches.

As stated earlier, Hyper-V Virtual Network Switches can be configured to work in either Access Mode or Trunk Mode, as is the case with a physical switch. These two modes are tied to the VLAN ID tagging system.

Only External and Internal Virtual Switches can be configured in Trunk Mode and Access Mode. You can assign a VLAN ID to these switches but an option for assigning a VLAN ID to a Private Network Virtual Switch is not available.

In Trunk Mode, a virtual switch listens to all the network traffic and forwards it to all the ports. In other words, network packets are sent to all the virtual machines connected to it. By default, a virtual switch in Hyper-V is configured in Trunk Mode, so not much configuration is needed to use this mode.

In Access Mode, the virtual switch first checks the VLAN ID tagged in each network packet it receives. If that VLAN ID matches the one configured on the virtual switch, the packet is accepted. Any incoming network packet that is not tagged with the same VLAN ID is discarded by the virtual switch.

Configuring a Virtual Switch in Access Mode

To configure a virtual switch in Access Mode, first open the Virtual Switch Manager. Next, select the virtual switch you want to configure and click the "Enable VLAN identification for management operating system" check box, as shown in the screenshot below.

Finally, specify the VLAN ID in the text box, as shown in the red circle in the screenshot below. This configuration forces the virtual switch to accept only network packets that are tagged with the VLAN ID configured on the virtual switch.

To better illustrate this with an example, let's say there are three virtual machines running on a Hyper-V Server: VM1, VM2 and VM3. VM1 and VM2 are configured with a VLAN ID 4, and VM3 is configured with a VLAN ID 5.

These virtual machines are connected to an External Virtual Switch called "vSwitch1" that, in turn, is configured with VLAN ID 4 (in Access Mode), as shown in the image below.

As you can see above, Virtual Switch (vSwitch1), which is an External Virtual Network Switch, is configured in Access Mode. Since it is configured in Access Mode, it can only receive network packets that are tagged with the VLAN ID 4.
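The scenario above can also be set up and checked from PowerShell. The following is an added example, not part of the original article: it uses the Hyper-V module's `Set-VMNetworkAdapterVlan` and `Get-VMNetworkAdapterVlan` cmdlets, and it assumes an elevated session, the scenario's names (vSwitch1, VM1, VM2, VM3), and that the management operating system adapter carries the same name as the switch.

```powershell
# Added example; names below come from the article's scenario and are assumptions
# about your environment. Run in an elevated session on the Hyper-V host.
$SwitchName   = 'vSwitch1'
$ExpectedVlan = 4

# Tag the virtual machine adapters as described: VM1 and VM2 in VLAN 4, VM3 in VLAN 5.
Set-VMNetworkAdapterVlan -VMName 'VM1' -Access -VlanId 4
Set-VMNetworkAdapterVlan -VMName 'VM2' -Access -VlanId 4
Set-VMNetworkAdapterVlan -VMName 'VM3' -Access -VlanId 5

# Scripted form of the "Enable VLAN identification for management operating
# system" check box and its VLAN ID text box in Virtual Switch Manager.
# Assumption: the management OS adapter is named after the switch.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $SwitchName `
    -Access -VlanId $ExpectedVlan

# Audit: list every VM adapter attached to the switch with its VLAN mode and ID,
# and flag the ones that are not in the expected access VLAN.
$report = Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.SwitchName -eq $SwitchName } |
    ForEach-Object {
        $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $_
        [pscustomobject]@{
            VM              = $_.VMName
            Adapter         = $_.Name
            Mode            = $vlan.OperationMode
            VlanId          = $vlan.AccessVlanId
            MatchesExpected = ($vlan.OperationMode -eq 'Access' -and
                               $vlan.AccessVlanId -eq $ExpectedVlan)
        }
    }

$report | Sort-Object VM | Format-Table -AutoSize

# Show the management OS adapter's VLAN setting alongside the VM adapters.
Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $SwitchName

# Adapters outside the expected VLAN (VM3 in this scenario) are worth reviewing:
# an unexpected entry here means a VM sits in a different segment than intended.
$report | Where-Object { -not $_.MatchesExpected }
```

Running the audit portion on a schedule and comparing the output against the intended VLAN assignments is a simple way to catch configuration drift between network segments.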

Hyper-V Network Virtual Switch Q&As

Here are a few questions/answers to help clear up any potential confusion:

Q1: Can VM1 and VM2 communicate with each other?

A1: Yes, they can, as long as they are using the same VLAN ID and the Hyper-V virtual switch is also configured with the same VLAN ID (Access Mode) or configured in the Trunk Mode.

Q2: Can VM3 communicate with VM1 or VM2?

A2: No. VM3 is configured with a VLAN ID 5, but the virtual switch (vSwitch1) can only accept network packets that are tagged with VLAN ID 4. So, to allow communication between all virtual machines (VM1, VM2 and VM3 in this example), vSwitch1 must be configured in the Trunk Mode. In other words, you must uncheck the "Enable VLAN identification for management operating system" setting.

Q3: How can we restrict communication between VM1 and VM3 and at the same time allow VM2 to communicate with a server on an external LAN?

A3: To restrict communication between VM1 and VM3, you must configure VM1 and VM3 with the same VLAN ID and then configure vSwitch1 in Trunk Mode. This configuration will force vSwitch1 to receive all network packets from all the virtual machines connected to it.

Nirmal Sharma is an MCSEx3, MCITP and Microsoft MVP in Directory Services. He has specialized in Microsoft Technologies since 1994 and has followed the progression of Microsoft Operating System and software. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Solution IDs for www.Dynamic-SpotAction.com. Nirmal can be reached at nirmal_sharma@mvps.org.